Fixes bug in SQL queries created by spring-security-acl when using pr…

[lpavan]

…imary keys for ACL identity objects with types other than String

I´m using spring-security-acl in objects which have UUID as their primary key in a project that uses Microsoft SQL as database. I was getting the following stack trace:

org.springframework.dao.DataIntegrityViolationException: PreparedStatementCallback; SQL [select obj.object_id_identity as obj_id, class.class as class, class.class_id_type as class_id_type from acl_object_identity obj, acl_object_identity parent, acl_class class where obj.parent_object = parent.id and obj.object_id_class = class.id and parent.object_id_identity = ? and parent.object_id_class = (select id FROM acl_class where acl_class.class = ?)]; Unable to convert between java.util.UUID and JAVA_OBJECT.; nested exception is java.sql.SQLException: Unable to convert between java.util.UUID and JAVA_OBJECT.
	at org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.doTranslate(SQLStateSQLExceptionTranslator.java:102)
	at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:73)
	at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81)
	at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:81)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:660)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:695)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:727)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:737)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:787)
	at org.springframework.security.acls.jdbc.JdbcAclService.findChildren(JdbcAclService.java:91)
	at org.springframework.security.acls.jdbc.JdbcMutableAclService.clearCacheIncludingChildren(JdbcMutableAclService.java:378)
	at org.springframework.security.acls.jdbc.JdbcMutableAclService.updateAcl(JdbcMutableAclService.java:369)
[....]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.sql.SQLException: Unable to convert between java.util.UUID and JAVA_OBJECT.
	at net.sourceforge.jtds.jdbc.Support.convert(Support.java:632)
	at net.sourceforge.jtds.jdbc.JtdsPreparedStatement.setObjectBase(JtdsPreparedStatement.java:590)
	at net.sourceforge.jtds.jdbc.JtdsPreparedStatement.setObject(JtdsPreparedStatement.java:907)
	at org.springframework.jdbc.core.StatementCreatorUtils.setValue(StatementCreatorUtils.java:427)
	at org.springframework.jdbc.core.StatementCreatorUtils.setParameterValueInternal(StatementCreatorUtils.java:235)
	at org.springframework.jdbc.core.StatementCreatorUtils.setParameterValue(StatementCreatorUtils.java:166)
	at org.springframework.jdbc.core.ArgumentPreparedStatementSetter.doSetValue(ArgumentPreparedStatementSetter.java:66)
	at org.springframework.jdbc.core.ArgumentPreparedStatementSetter.setValues(ArgumentPreparedStatementSetter.java:47)
	at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:701)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:644)
        ... 104 common frames omitted

After trying to find out the cause of the error, including being suspicious of the database driver I was using, I tracked the bug down to the fact that the identifier of the ObjectIdentity is not converted to String when such identifier gets passed to a SQL query inside the classes JdbcAclService and JdbcMutableAclService.

It´s easy to see the problem looking at the class BasicLookupStrategy, where the following code gets it right(line 394) by correctly calling toString() in the object identity identifier:

spring-security/acl/src/main/java/org/springframework/security/acls/jdbc/BasicLookupStrategy.java

Lines 384 to 402 in d8f91e4

	Set<Long> parentsToLookup = jdbcTemplate.query(sql,
	new PreparedStatementSetter() {
	public void setValues(PreparedStatement ps) throws SQLException {
	int i = 0;
	for (ObjectIdentity oid : objectIdentities) {
	// Determine prepared statement values for this iteration
	String type = oid.getType();
	// No need to check for nulls, as guaranteed non-null by
	// ObjectIdentity.getIdentifier() interface contract
	String identifier = oid.getIdentifier().toString();
	// Inject values
	ps.setString((2 * i) + 1, identifier);
	ps.setString((2 * i) + 2, type);
	i++;
	}
	}
	}, new ProcessResultSet(acls, sids));

In order to be able to use spring-security-acl with UUIDs I also had to change the source code and add public to the class AclClassIdUtils just like in the issue #4814, what makes me believe that, as of now, not many other people are using spring-security-acl with objects with UUID as primary key elsewhere.

[pivotal-issuemaster]

@lpavan Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

[pivotal-issuemaster]

@lpavan Thank you for signing the Contributor License Agreement!

[eleftherias]

Thank you for the PR @lpavan. However, the same code changes have already been applied via d1a754f . Therefore, I am closing this PR.